Differences
userdoc:tt_ipsec_vpn_strongswan [2016/12/08 09:09] droemel |
userdoc:tt_ipsec_vpn_strongswan [2021/02/13 08:31] abelbeck [IPsec VPN (strongSwan) Configuration] |
Line 4: | Line 4: | ||
The web interface Network tab, "IPsec Peers" and "IPsec Mobile" | The web interface Network tab, "IPsec Peers" and "IPsec Mobile" | ||
+ | |||
+ | !!Note: | ||
Three key strongSwan features not found in ipsec-tools (racoon): | Three key strongSwan features not found in ipsec-tools (racoon): | ||
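Review bot: the added `!!Note:` line at the top of this hunk carries no text and no closing `!!`, so as shown it is an empty callout; either give it a body in the `!!Note:!! text` form the rest of the page uses, or drop the line.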
Line 13: | Line 15: | ||
How does this apply within AstLinux ... | How does this apply within AstLinux ... | ||
- | * It is clear to the development team that we can't " | + | * A point-and-click web interface like the deprecated |
* strongSwan is needed to support endpoints with changing IP's and dynamic DNS names using IKEv2 MOBIKE, racoon only supports IKEv1. | * strongSwan is needed to support endpoints with changing IP's and dynamic DNS names using IKEv2 MOBIKE, racoon only supports IKEv1. | ||
* strongSwan is needed to interoperate with [[https:// | * strongSwan is needed to interoperate with [[https:// | ||
- | * Either racoon or strongSwan can run at a time, so users can continue to use IPsec Peers / IPsec Mobile or use a new text configuration with IPsec strongSwan, but not both. | ||
- | At this point in time, the "IPsec strongSwan" | + | At this point in time, the "IPsec strongSwan" |
!!Warning ->!! It should go without saying, never use the example pre-shared key values shown below, always use as long as practical, randomly generated shared keys. | !!Warning ->!! It should go without saying, never use the example pre-shared key values shown below, always use as long as practical, randomly generated shared keys. | ||
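Review bot: the removed bullet was the only sentence stating that racoon and strongSwan cannot run at the same time (IPsec Peers / IPsec Mobile or the strongSwan text configuration, not both); if that constraint still holds, the replacement bullet about the deprecated point-and-click interface should keep it, because a reader who configures both will otherwise only discover the conflict at runtime. The retained warning about example pre-shared keys also applies to the `monkey123` value used further down the page.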
Line 50: | Line 51: | ||
\\ | \\ | ||
- | Tested with a AVM FRITZ!Box Fon WLAN 7390 with FRITZ!OS 06.51 and strongSwan 5.5.1 | + | Tested with a AVM FRITZ!Box Fon WLAN 7390 with FRITZ!OS 06.51 and strongSwan 5.5.1 (AstLinux 1.2.9-pre 64-bit) |
astlinux.example.tld: | astlinux.example.tld: | ||
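Review bot: "Tested with a AVM FRITZ!Box" should read "an AVM FRITZ!Box" in both revisions; the appended "(AstLinux 1.2.9-pre 64-bit)" also records a pre-release build, so this line needs updating to the shipped release once 1.2.9 is out, otherwise the reader cannot tell whether the final version was ever tested against this FRITZ!OS.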
Line 61: | Line 62: | ||
| | ||
config setup | config setup | ||
- | | + | # |
+ | | ||
conn %default | conn %default | ||
dpddelay=15 | dpddelay=15 | ||
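Review bot: under `config setup` the replaced line now begins with `#`, so whatever option it carried is commented out rather than removed; if it is disabled on purpose, say why in the comment (for instance which strongSwan version made it unnecessary), because a commented-out setting with no explanation invites someone to re-enable it.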
Line 81: | Line 83: | ||
aggressive=yes | aggressive=yes | ||
authby=psk | authby=psk | ||
- | auto=start | + | |
+ | auto=route | ||
+ | keyingtries=%forever | ||
+ | !!Note:!! '' | ||
+ | |||
\\ | \\ | ||
**astlinux.example.tld: | **astlinux.example.tld: | ||
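Review bot: changing `auto=start` to `auto=route` alters the tunnel's behaviour, not just its wording: `start` brings the SA up when the daemon starts, whereas `route` only installs the kernel policy and negotiates when matching traffic appears, with the new `keyingtries=%forever` keeping that negotiation retrying; the `!!Note:!!` added to explain this shows only an empty `''` pair here, so the rationale should be written out. Since the unchanged context still pairs `aggressive=yes` with `authby=psk`, the IKEv1 aggressive-mode exchange gives a passive observer enough material for an offline guess at the pre-shared key, which is why the page's warning to use long, random keys matters for this conn in particular.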
Line 89: | Line 95: | ||
| | ||
@astlinux.example.tld @fritzbox.example.tld : PSK monkey123 | @astlinux.example.tld @fritzbox.example.tld : PSK monkey123 | ||
- | |||
- | \\ | ||
- | The Fritzbox 7390 (FW 6.51) accepts up 128 characters as Pre-shared Key, which can be generated e.g. with: | ||
- | |||
- | openssl rand -base64 96 | ||
\\ | \\ | ||
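Review bot: moving the key-generation note away from the secrets file leaves `@astlinux.example.tld @fritzbox.example.tld : PSK monkey123` as the only thing a reader sees at this point, and that value is exactly what the warning at the top says never to use; consider keeping at least a one-line pointer to the `openssl rand -base64 96` note beside the secrets line, where someone copying the example is most likely to paste it unchanged.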
Line 155: | Line 156: | ||
\\ | \\ | ||
+ | |||
+ | !!Note:!! The Fritzbox 7390 (FW 6.51) accepts Pre-shared-Keys with a length up 128 characters, which can be generated e.g. with: | ||
+ | openssl rand -base64 96 | ||
+ | |||
+ | \\ | ||
===== Network to Network with Pre-Shared Key ===== | ===== Network to Network with Pre-Shared Key ===== | ||
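Review bot: "with a length up 128 characters" is missing "to" ("up to 128 characters"), and the spelling now differs between "Pre-shared-Keys" here and "Pre-shared Key" in the removed text. The command itself is consistent with the stated limit: `openssl rand -base64 96` encodes 96 random bytes as exactly 128 base64 characters with no padding (96 is divisible by 3), so the generated key fills the FRITZ!Box maximum rather than exceeding it.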